
Bug#846113: polygraph loses SSL support when compiled with OpenSSL 1.1



On 2016-11-30 01:16:09 [+0200], Adrian Bunk wrote:
> > I thought we agreed not to tag this as a patch
> 
> Where did I agree to that?

The last time I pointed it out and you replied that the problem is that
"two things are tracked in one bug but it can't be cloned".

> > but as a hint what can be
> > done if the maintainer chooses to stay with 1.0.
> 
> Reality in Debian is that a large amount of packages is not well 
> maintained, polygraph is actually orphaned.

It received uploads since I orphaned it so I wouldn't say that it is not
well maintained. However the last upload lost SSL on its way to the
archive so it is 50-50 :)

> > Do you expect this bug
> > to be closed once it switches to libssl1.0-dev?
> 
> The thing I do care about is not the patch tag, the thing I do care 
> about is that we are not losing any packages in stretch due to the
> whole OpenSSL situation.

Yes? So you switch to 1.0.2 for a package that is not well maintained
and we get back here in Buster but we don't lose a package in Stretch?
It has low popcon and if it wouldn't be you, then we probably would have
polygraph without SSL. And looking at my tracker there are more packages
that depend on libssl-dev and don't link against it.

> A patch tag makes it visible that there is a solution for the RC issue 
> in stretch.

I attached a patch which builds against 1.1.0. Let's see if somebody is
able to test it.

> Who is going to do the uploads for the ~ 100 not well maintained 
> packages that need to be switched to 1.0.2?
> 
> Will you do these?

If the release team says we have to finish this asap then I will step up
and try my best.

> It should be your job for making dual 1.0.2/1.1 work.
> 
> Or will you at least sponsor me, if I send you a batch of 100 NMUs and 
> QA uploads switching packages to 1.0.2?

If the 100 NMUs are tested and not just switched the build-depends then
maybe. But as you see here, you don't need special powers to get things
compiled with 1.1.0. I actually spent more time writing this email than
the patch. And I would like to avoid switching B-D now and looking at it
again after the release.

> cu
> Adrian

Sebastian
From dc21aa1a25fa59e3e667cff8487f971dd74a3d0a Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Wed, 30 Nov 2016 20:10:36 +0000
Subject: [PATCH] polygraph: get it built with openssl 1.1.0

It does not complain if openssl is not found during ./configure
- probe for existing symbols
- drop old SSLv2 check
- add headers for functions which were included previously via openssl's
  headers.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
 configure.in           | 4 ++--
 src/client/NtlmAuth.cc | 1 +
 src/xstd/Ssl.cc        | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/configure.in b/configure.in
index 4ae562f6b87b..4708118fb3b4 100644
--- a/configure.in
+++ b/configure.in
@@ -278,7 +278,7 @@ else
 		 OLDCPPFLAGS="$CPPFLAGS"
 		 LDFLAGS="$CLEANLDFLAGS -L$EXTRA_SSL/lib"
 		 CPPFLAGS="$CLEANCPPFLAGS -I$EXTRA_SSL/include"
-		 AC_CHECK_LIB(crypto, CRYPTO_add_lock,[
+		 AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new,[
 			 HAVECRYPTO="yes" ], [
 			 LDFLAGS="$OLDLDFLAGS"
 			 CPPFLAGS="$OLDCPPFLAGS"
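Review bot: EVP_CIPHER_CTX_new is a sound replacement probe symbol here: CRYPTO_add_lock disappeared together with the old locking callbacks in OpenSSL 1.1.0, while EVP_CIPHER_CTX_new is exported by both 1.0.2 and 1.1.0, so this AC_CHECK_LIB keeps succeeding for the dual 1.0.2/1.1 build the thread is discussing. The same symbol is probed again in the next hunk; putting it in one shell variable used by both checks would keep the two from drifting apart on a future update.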
@@ -292,7 +292,7 @@ else
 		dnl this is only reasonable to do if crypto actually is there
 		dnl it is important to do this _after_ the crypto lib
 
-		AC_CHECK_LIB(crypto, CRYPTO_add_lock)
+		AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new)
 		AC_CHECK_LIB(ssl, SSL_connect)
 
 		if test "$ac_cv_lib_ssl_SSL_connect" != yes
diff --git a/src/client/NtlmAuth.cc b/src/client/NtlmAuth.cc
index e56f6218c775..9f63ff8283b8 100644
--- a/src/client/NtlmAuth.cc
+++ b/src/client/NtlmAuth.cc
@@ -22,6 +22,7 @@
 #include <stdarg.h>
 #include <stdlib.h>
 #include <ctype.h>
+#include <string.h>
 
 #include "client/NtlmAuth.h"
 #include "client/SpnegoCodec.h"
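Review bot: the added <string.h> sits with the other C headers, which matches the file's existing style; it is required because OpenSSL 1.1.0's public headers no longer pull it in transitively, as the commit message notes. A one-line comment to that effect next to the include would stop a later cleanup from removing it as apparently unused.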
diff --git a/src/xstd/Ssl.cc b/src/xstd/Ssl.cc
index 4cdf2fe31259..af30f86face9 100644
--- a/src/xstd/Ssl.cc
+++ b/src/xstd/Ssl.cc
@@ -31,9 +31,11 @@ SslCtx::SslCtx(SslProtocol protocol, const String &cipher): theCtx(0) {
 	 * build. */
 	switch(protocol) {
 		case SSLv2:
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef OPENSSL_NO_SSL2
 			theCtx = ::SSL_CTX_new(::SSLv2_method());
 #endif
+#endif
 			break;
 		case TLSv1:
 			theCtx = ::SSL_CTX_new(::TLSv1_method());
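Review bot: the outer #if leaves theCtx at 0 for the SSLv2 case on 1.1.0, which is exactly what the existing OPENSSL_NO_SSL2 path already does, so callers that handle a null context need no change; the two nested conditions could be folded into one, `#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2)`, which also adds the L suffix matching how opensslv.h defines the macro. This assumes OPENSSL_VERSION_NUMBER is visible at this point, i.e. openssl/ssl.h (or openssl/opensslv.h) is included above the hunk. Losing the SSLv2_method path on 1.1.0 is the right outcome from a hardening standpoint, since that protocol has long been deprecated.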
-- 
2.10.2
